PageSpeed Insights (https://yurets.pro/)

Opportunities and diagnostics:
- Serve static assets with an efficient cache policy: 10 resources found
- Avoid chaining critical requests: 4 chains found
- Keep request counts low and transfer sizes small: 26 requests, 681 KB

Passed audits (21), including:
- Eliminate render-blocking resources: potential savings of 40 ms
- Properly size images: potential savings of 24 KB
- Defer offscreen images: potential savings of 9 KB
- Minify CSS
- Minify JavaScript: potential savings of 159 KB
- Remove unused CSS
- Efficiently encode images
- Serve images in next-gen formats: potential savings of 16 KB
- Enable text compression
- Preconnect to required origins
Chrome (DevTools network timing phases)

Resource Scheduling: Queueing
Connection Start: Stalled, DNS Lookup, Initial connection, SSL
Request/Response: Request sent, Waiting (TTFB), Content Download
Browser Network Timings (Chrome, durations per phase)

Resource Scheduling:
- Queueing: 1.95 ms

Connection Start:
- Stalled: 0.86 ms
- DNS Lookup: 1.48 s
- Initial connection: 819.32 ms
- SSL: 512.02 ms

Request/Response:
- Request sent: 80 µs
- Waiting (TTFB): 307.07 ms
- Content Download: 1.49 ms


Firefox (DevTools Request Timing)

- Blocked / DNS Resolution / Connecting: 282 ms, 246 ms (third value not legible)
- TLS Setup: 293 ms
- Sending: 0 ms
- Waiting: 299 ms
- Receiving: 0 ms
Final Stats

99% latency (ms): ratio 10x (tuned + GEO), or up to 1 second :)
dnsperf.com: DNS resolution time by provider

Provider        DNS resolution
Sectigo         10.07 ms
Cloudflare      10.79 ms
DigitalOcean    11.5 ms
LimeLight DNS   14.67 ms
WordPress.com   14.96 ms
Route53         29.87 ms
Azure           40.65 ms
Google Cloud    56.92 ms
Afraid.org      124.39 ms
Let's test it =)

Provider NS example (domain): ns-81.awsdns-10.com

DNS resolvers:
- 8.8.8.8 Google
- 1.1.1.1 Cloudflare
- 9.9.9.9 IBM
- 208.67.222.222 OpenDNS

Response time (ms), resolver vs. authoritative NS provider (cells marked ? are not legible in the slide):

Resolver / NS   google  amazon  microsoft  cloudflare  hoster.by  reg     afraid.org
Google          54.00   12.59   24.00      7.51        102.00     44.00   780.87
Cloudflare      54.00   12.51   24.51      7.51        103.02     44.00   447.57
IBM             54.00   12.00   24.00      7.02        ?          44.00   72.10
OpenDNS         54.00   13.00   24.00      ?           80.51      45.02   423.06
Average (ms)    54.00   12.53   24.13      ?           93.51      44.26   -
Chart: 99% NS response time (ms), average per NS provider (cloudflare, amazon, microsoft, reg, google, hoster, afraid.org; y-axis 0-500 ms).
Highlights: 12 ms aws vs 54 ms google; 44 ms reg vs 93 ms hoster; up to 450 ms delay on afraid.org.


HighLoad++ (talk sections: INTRO, DNS, TCP, TLS, HTTP, Sum up)

TCP (Connecting)

1 RTT (round-trip time): TCP connection = SYN => SYN-ACK => ACK

Improvements:
- CDN Static
- CDN Dynamic
- Geo server distribution + Geo DNS


Chris (@ChrisBernie42):
"Due to #COVID-19, all TCP applications will be converted to UDP to avoid handshakes."
GEO DNS

Route53 geolocation record sets:

Name                  Type  Value          Geolocation  Set ID
demo.yurets.online.   A     34.84.69.230   default      default - jp
demo.yurets.online.   A     35.228.190.16  EU           europe

Routing Policy: Geolocation. Route 53 responds to queries based on the locations from which DNS queries originate.

- Record set 1: Location: Default, Set ID: default - jp
- Record set 2: Location: Europe, Set ID: europe

Set ID is the description of this record set that is unique within the group of geolocation sets (the console's example text: "Route to Seattle data center").

TCP connection time depending on geolocation

99% latency (ms) by server / user location: EU response (ms), Japan response (ms), diff (values shown only in the slide chart)

Geo DNS time savings: up to 250-300 ms per RTT
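The resolver timing table above and the Route53 geolocation records can both be checked with the same small tool: a DNS query builder, an A-record response parser, and a timer. The following is an added example written for this page, not code from the talk or from the demo-latency repository. It assumes only the Python standard library; the EDNS Client Subnet option (RFC 7871) lets you ask an authoritative server for the answer it would give to a client in another region, which is how a geolocation policy can be verified from one machine, but only for servers that honour the option. The sample response bytes are constructed for the demo.yurets.online record shown above.

```python
"""Minimal DNS query builder and A-record parser for resolver timing and GeoDNS checks."""
import math
import socket
import struct
import time


def build_query(name, qtype=1, txid=0x1234, ecs=None):
    """Build a recursion-desired DNS query. ecs=(ipv4, prefix_len) appends an EDNS
    Client Subnet option (RFC 7871) so a geolocation-routed authoritative server
    answers for that network instead of for the machine sending the query."""
    arcount = 1 if ecs else 0
    packet = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    for label in name.rstrip(".").split("."):
        packet += struct.pack("B", len(label)) + label.encode("ascii")
    packet += b"\x00" + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    if ecs:
        addr, prefix = ecs
        addr_bytes = socket.inet_aton(addr)[: (prefix + 7) // 8]
        option = struct.pack("!HBB", 1, prefix, 0) + addr_bytes   # family IPv4, source, scope
        rdata = struct.pack("!HH", 8, len(option)) + option        # option code 8 = CLIENT-SUBNET
        packet += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata  # OPT RR
    return packet


def _read_name(data, off):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:                                      # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(data, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(data[off:off + n].decode("ascii"))
        off += n


def parse_a_answers(data):
    """Return (rcode, [IPv4 strings]) from a DNS response packet."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        _name, off = _read_name(data, off)
        off += 4                                                  # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        _name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips


def timed_query(server, name, ecs=None, timeout=2.0):
    """Send one UDP query and return (elapsed_ms, rcode, ips). Needs network access."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        query = build_query(name, ecs=ecs)
        t0 = time.perf_counter()
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
        elapsed_ms = (time.perf_counter() - t0) * 1000
    finally:
        sock.close()
    rcode, ips = parse_a_answers(data)
    return elapsed_ms, rcode, ips


def percentile(samples, p=99):
    """Nearest-rank percentile, the statistic the slides report as '99% latency'."""
    ordered = sorted(samples)
    return ordered[max(0, math.ceil(p / 100 * len(ordered)) - 1)]


# Constructed sample response (not captured from a real resolver): demo.yurets.online A 34.84.69.230, TTL 60.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x04demo\x06yurets\x06online\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04" + bytes([34, 84, 69, 230])
)

if __name__ == "__main__":
    print(parse_a_answers(SAMPLE_RESPONSE))
    # Live use, e.g. 99th percentile against 1.1.1.1 (uncomment when online):
    # print(percentile([timed_query("1.1.1.1", "demo.yurets.online")[0] for _ in range(100)]))
```

To reproduce the talk's table, run timed_query against each resolver from the slide and take percentile() over the samples; to check a geolocation policy, query the zone's authoritative name server with ecs set to a network in the target region and compare the returned address with the record set for that location.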
TCP Fast Open (TFO)

Checking on client and on server (TFO counters in /proc/net/netstat):

$ grep '^TcpExt:' /proc/net/netstat | cut -d ' ' -f 84-90 | column -t
TCPSYNChallenge TCPFastOpenActive TCPFastOpenActiveFail TCPFastOpenPassive
Checking TFO on server:

cat /proc/sys/net/ipv4/tcp_fastopen

0 - disabled
1 - only client (on outgoing connections)
2 - only server (on listening sockets)
3 - client + server
Enabling TFO:

echo "3" > /proc/sys/net/ipv4/tcp_fastopen

or

echo "net.ipv4.tcp_fastopen=3" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

Adding fastopen to nginx config:

listen 80 fastopen=256;
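The `cut -f 84-90` in the check above depends on the column order of /proc/net/netstat, which differs between kernel versions. The following is an added example, not code from the talk, that matches the TCPFastOpen* counters by name instead and decodes the tcp_fastopen bitmask from the table above. It assumes the standard two-line-per-section layout of /proc/net/netstat and the counter names Linux exports; the sample file contents are constructed, not captured from a real host.

```python
"""Report TCP Fast Open state from /proc, matching counters by name instead of column number."""

# Bits of net.ipv4.tcp_fastopen (see the value table above).
TFO_CLIENT = 0x1
TFO_SERVER = 0x2


def parse_netstat(text):
    """Parse the /proc/net/netstat layout: a header line followed by a values line per section."""
    lines = [line.split() for line in text.splitlines() if line.strip()]
    counters = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        if header[0] != values[0]:
            raise ValueError("header/value line mismatch: %s vs %s" % (header[0], values[0]))
        section = header[0].rstrip(":")
        counters[section] = dict(zip(header[1:], map(int, values[1:])))
    return counters


def tfo_counters(text):
    """Only the TcpExt counters that describe Fast Open activity."""
    tcp_ext = parse_netstat(text).get("TcpExt", {})
    return {k: v for k, v in tcp_ext.items() if k.startswith("TCPFastOpen")}


def describe_sysctl(value):
    """Translate the tcp_fastopen bitmask into 'disabled', 'client', 'server' or 'client+server'."""
    value = int(value)
    modes = []
    if value & TFO_CLIENT:
        modes.append("client")
    if value & TFO_SERVER:
        modes.append("server")
    return "+".join(modes) if modes else "disabled"


def tfo_report(sysctl_text, netstat_text):
    """Combine the sysctl mode with the counters that show whether TFO is actually used."""
    c = tfo_counters(netstat_text)
    return {
        "mode": describe_sysctl(sysctl_text.strip()),
        "passive": c.get("TCPFastOpenPassive", 0),            # server accepted a TFO SYN with data
        "passive_fail": c.get("TCPFastOpenPassiveFail", 0),
        "active": c.get("TCPFastOpenActive", 0),              # client sent data in SYN
        "active_fail": c.get("TCPFastOpenActiveFail", 0),
        "listen_overflow": c.get("TCPFastOpenListenOverflow", 0),
        "cookie_reqd": c.get("TCPFastOpenCookieReqd", 0),
    }


def read_live():
    """Read the real files on a Linux host."""
    with open("/proc/sys/net/ipv4/tcp_fastopen") as f, open("/proc/net/netstat") as g:
        return tfo_report(f.read(), g.read())


# Constructed sample of the two /proc files (not captured from a real machine).
SAMPLE_SYSCTL = "3\n"
SAMPLE_NETSTAT = (
    "TcpExt: SyncookiesSent TCPFastOpenActive TCPFastOpenActiveFail TCPFastOpenPassive "
    "TCPFastOpenPassiveFail TCPFastOpenListenOverflow TCPFastOpenCookieReqd\n"
    "TcpExt: 0 12 1 340 2 0 5\n"
    "IpExt: InNoRoutes OutOctets\n"
    "IpExt: 0 123456\n"
)

if __name__ == "__main__":
    print(tfo_report(SAMPLE_SYSCTL, SAMPLE_NETSTAT))
```

A growing TCPFastOpenPassive count is the real confirmation that the nginx `fastopen=` setting is in effect; a mode of client+server with a passive counter stuck at zero usually means a middlebox strips the TFO option or no client is sending cookies.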
TLS setup

0-2 RTT (round-trip time)

Timeline: SSL v3 1996 (Netscape Navigator 2.0), TLS 1.0 1999, TLS 1.1 2006, TLS 1.2 2008, TLS 1.3 2018

TLS 1.2 (2 RTT) vs TLS 1.3 (1 RTT)


What TLS looks like, curl -v output:

TLS 1.2:
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

TLS 1.3:
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
TLSv1.3 (IN), TLS handshake, Certificate (11):
TLSv1.3 (IN), TLS handshake, CERT verify (15):
TLSv1.3 (IN), TLS handshake, Finished (20):
TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
TLSv1.3 (OUT), TLS handshake, Finished (20):
SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
TLS Handshake

TLS 1.2 (client <-> server):
- Client Hello: supported cipher suites
- Server Hello: chosen cipher suite, certificate & signature, key share
- Client: key share, Finished
- Server: Finished
- Client: HTTP GET

TLS 1.3 (client <-> server):
- Client Hello: supported cipher suites, key share
- Server Hello: chosen cipher suite, key share, certificate & signature, Finished
- Client: Finished, HTTP GET
TLS 1.2 vs TLS 1.3 (measured with httpstat)

99% latency (ms), server / user location: TLS 1.2 JP response 270 ms, TLS 1.3 JP response 131 ms

1 RTT benefit
TLS 1.3 0-RTT

Chart: response time for TLS 1.2 vs TLS 1.3 vs TLS 1.3 + 0-RTT (scale: 100 ms).
TLS 1.3 0-RTT

Requires nginx > 1.15.4 and OpenSSL 1.1.1 or higher, or BoringSSL.

ssl_protocols TLSv1.3;
ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;
TLS 1.3 0-RTT

Checking:

host=tls13-0rtt.yurets.online   # replace with your server name
echo -e "HEAD / HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n" > request.txt
openssl s_client -connect $host:443 -tls1_3 -sess_out session.pem -ign_eof < request.txt
openssl s_client -connect $host:443 -tls1_3 -sess_in session.pem -early_data request.txt

Expected in the second run's output:

Early data was accepted
Verify return code: 0 (ok)

HTTP/1.1 200 OK
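The `proxy_set_header Early-Data $ssl_early_data;` line in the nginx config above exists because 0-RTT data is not protected against replay: an attacker who captures the early-data flight can resend it, and the server cannot tell. RFC 8470 defines the Early-Data request header and the 425 Too Early status so the backend can refuse to act on replayable requests. The following is an added example, not part of the talk or the demo-latency repository, of a backend that makes that decision. It assumes the nginx setup from the slide (nginx sets Early-Data: 1 only for requests read from 0-RTT data) and treats only GET, HEAD and OPTIONS as replay-safe; the port and the set of safe methods are choices for this example.

```python
"""Reject replayable 0-RTT requests at the backend (RFC 8470: Early-Data header, 425 Too Early)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods this example allows from early data. Any handler with side effects (including a GET
# that changes state) must be kept out of this set.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def early_data_decision(method, headers):
    """Return (status, reason) for a request. headers: mapping of request headers.
    nginx (with proxy_set_header Early-Data $ssl_early_data) sends '1' only for requests
    received in TLS 1.3 0-RTT; anything else is treated as a normal, handshake-confirmed request."""
    early = headers.get("Early-Data", "0").strip() == "1"
    if early and method.upper() not in SAFE_METHODS:
        # The client retries the same request after the handshake completes (RFC 8470, 5.2).
        return 425, "Too Early"
    return 200, "OK"


class Handler(BaseHTTPRequestHandler):
    def _respond(self):
        status, reason = early_data_decision(self.command, self.headers)
        body = reason.encode()
        self.send_response(status, reason)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_HEAD = do_OPTIONS = do_POST = do_PUT = do_DELETE = _respond


if __name__ == "__main__":
    # Constructed setup: nginx proxies to 127.0.0.1:8080 with the Early-Data header from the slide.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Without this check, enabling `ssl_early_data on;` turns every non-idempotent endpoint into a replay target, so the 0-RTT RTT saving should be taken only on paths where a replayed request is harmless or the backend answers 425.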
RSA key length

Chart: RSA decryption time by key (modulus) length, bits, from 512 to 4096 in 256-bit steps.

With every doubling of the RSA key length, decryption is 6-7 times slower.
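The slowdown in the chart comes from the private-key operation, a modular exponentiation whose cost grows roughly with the cube of the operand size. The following is an added example, not from the talk, that reproduces the scaling with Python's built-in pow() and no key generation: the cost of c^d mod n depends only on the bit lengths of d and n, so random operands of the right size stand in for a real key. Absolute times differ from OpenSSL (which uses CRT and assembly), but the per-doubling ratio is what the chart is about.

```python
"""Benchmark the core RSA private-key operation (modular exponentiation) at several key sizes."""
import random
import time


def modexp_time(bits, repeats=3, seed=1):
    """Average seconds for one c^d mod n with n and d of the given bit length.
    Random odd n and a full-size d stand in for a real key (constructed operands)."""
    rng = random.Random(seed)
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    d = rng.getrandbits(bits) | (1 << (bits - 1))
    c = rng.randrange(2, n)
    t0 = time.perf_counter()
    for _ in range(repeats):
        pow(c, d, n)
    return (time.perf_counter() - t0) / repeats


def doubling_ratios(sizes=(512, 1024, 2048, 4096)):
    """Return {bits: slowdown relative to the previous size in `sizes`}."""
    times = {b: modexp_time(b) for b in sizes}
    return {sizes[i]: times[sizes[i]] / times[sizes[i - 1]] for i in range(1, len(sizes))}


if __name__ == "__main__":
    for bits, ratio in doubling_ratios().items():
        print("%d-bit: %.1fx slower than half the size" % (bits, ratio))
```

The measured ratio lands in the 4-8x range on CPython, which is the same order as the 6-7x the slide reports; it is the reason 2048-bit RSA (or ECDSA) remains the practical choice for TLS certificates rather than 4096-bit keys on latency-sensitive servers.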
TLS config best practice

Mozilla SSL Configuration Generator (https://ssl-config.mozilla.org/):
- Server software: Apache, AWS ALB, AWS ELB, Caddy, Dovecot, Exim, Golang, HAProxy, lighttpd, MySQL, nginx, Oracle HTTP, Postfix, PostgreSQL, ProFTPD, Tomcat, Traefik, ...
- Mozilla configuration: Modern (services with clients that support TLS 1.3), Intermediate (general-purpose servers with a variety of clients), Old
- Environment: server version (e.g. nginx 1.16.1), OpenSSL version (e.g. 1.1.1)
- Miscellaneous: HTTP Strict Transport Security, OCSP Stapling


HTTP (Sending - Waiting - Receiving)

1 RTT (request => response)

HTTP version history: 1997 HTTP/1.1, 2015 HTTP/2. Still using HTTP/1.1?

HTTP/2 diagram: client/server exchange starting with GET index.html, compared for HTTP/1.1, HTTP/2 (no push) and HTTP/2 (with push); legend: request, response, resources.
HTTP/1.1 vs HTTP/2

Test it:
TCP+TLS+HT 
HTTP/3 (QUIC)

Enable HTTP/3

Compile nginx manually: https://github.com/cloudflare/quiche/tree/master/extras/nginx#readme

Docker image: ymuski/nginx-quic

Nginx config:

listen 443 quic reuseport;
add_header alt-svc 'h3-29=":443"; ma=86400';
Test HTTP/3

Test online: https://www.http3check.net (result for http3.yurets.online):
- QUIC is supported
- HTTP/3 is supported
Test HTTP/3 with curl

Compile curl manually: https://github.com/curl/curl/blob/master/docs/HTTP3.md
Docker image: ymuski/curl-http3

docker run -it --rm ymuski/curl-http3 curl -Lv https://http3.yurets.online --http3

nginx log:

13.48.179.147 - - [19/Feb/2020:13:47:48 +0000] "GET /hello HTTP/3" 200 12 "-" "curl/7.69.0-DEV"
46.53.240.56 - - [19/Feb/2020:13:47:48 +0000] "GET /hello HTTP/3" 200 12 "-" "curl/7.69.0-DEV"

curl output:

$ docker run -it --rm ymuski/curl-http3 curl -Lv https://http3.yurets.online --http3
*   Trying 35.187.196.211:443...
* Sent QUIC client Initial, ALPN: h3-25h3-24h3-23
* h3 [:method: GET]
* h3 [:path: /]
* h3 [:scheme: https]
* h3 [:authority: http3.yurets.online]
* h3 [user-agent: curl/7.69.0-DEV]
* h3 [accept: */*]
* Using HTTP/3 Stream ID: 0 (easy handle 0x558482439780)
> GET / HTTP/3
> Host: http3.yurets.online
> user-agent: curl/7.69.0-DEV
> accept: */*
>
< HTTP/3 200
< server: nginx/1.16.1
< date: Wed, 19 Feb 2020 14:05:46 GMT
< content-type: text/html
< content-length: 12
< last-modified: Sun, 16 Feb 2020 15:53:01 GMT
< etag: "5e49655d-c"
< alt-svc: h3-24=":443"; ma=86400, h3-23=":443"; ma=86400
< accept-ranges: bytes
Browsers and HTTP/3

- Chrome: stable build (89), May 2021; flag #enable-quic
- Firefox: stable build (88), May 2021; pref network.http.http3.enabled

Browser DevTools view of a request:
Request URL: https://http3.yurets.online/hello
Request Method: GET
Remote Address: 34.85.47.11:443
Status Code: OK
Version: HTTP/3
Response Headers (179 B): alt-svc: h3-24=":443"; ma=86400, h3-23=":443"; ma=86400

https://developers.cloudflare.com/http3/
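Clients discover HTTP/3 through the alt-svc header that the nginx `add_header` line above emits, and the only server-side evidence that they actually switched is the protocol field in the access log. The following is an added example written for this page (not code from the talk or from the demo-latency repository): a parser for Alt-Svc header values following RFC 7838 (including the 86400-second default for ma and the `clear` form) and a tally of HTTP versions over access-log lines in nginx's combined format. The log lines are constructed with documentation addresses, not taken from a real server.

```python
"""Parse Alt-Svc headers (RFC 7838) and tally request protocol versions in nginx access logs."""
import re
from collections import Counter

# nginx combined log format up to the status code; the rest of the line is not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)


def parse_alt_svc(value):
    """Return a list of {'protocol', 'host', 'port', 'ma', 'persist'} for one Alt-Svc value.
    'clear' means the origin withdrew all alternative services."""
    value = value.strip()
    if value == "clear":
        return []
    entries = []
    # Split on commas that start a new alt-value (protocol-id "=" ...), not on commas inside quotes.
    for alt in re.split(r',\s*(?=[\w-]+=)', value):
        params = [p.strip() for p in alt.split(";")]
        proto, _, authority = params[0].partition("=")
        host, _, port = authority.strip('"').rpartition(":")
        entry = {"protocol": proto.strip(), "host": host or None, "port": int(port),
                 "ma": 86400, "persist": False}          # ma defaults to 24 hours (RFC 7838, 3.1)
        for p in params[1:]:
            key, _, val = p.partition("=")
            if key == "ma":
                entry["ma"] = int(val)
            elif key == "persist":
                entry["persist"] = val == "1"
        entries.append(entry)
    return entries


def h3_versions(value):
    """Protocol ids starting with 'h3' (draft ids like h3-29, or final 'h3') the server advertises."""
    return [e["protocol"] for e in parse_alt_svc(value) if e["protocol"].startswith("h3")]


def protocol_tally(log_lines):
    """Count requests per HTTP version; lines not in combined format are counted as 'unparsed'."""
    tally = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        tally[m.group("proto") if m else "unparsed"] += 1
    return tally


# Constructed sample log (same layout as the slide's nginx lines; addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.10 - - [19/Feb/2020:13:47:48 +0000] "GET /hello HTTP/3" 200 12 "-" "curl/7.69.0-DEV"',
    '203.0.113.11 - - [19/Feb/2020:13:47:49 +0000] "GET /hello HTTP/2.0" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [19/Feb/2020:13:47:50 +0000] "GET /hello HTTP/1.1" 200 12 "-" "curl/7.64.0"',
    '203.0.113.13 - - [19/Feb/2020:13:47:51 +0000] "GET /hello HTTP/3" 200 12 "-" "curl/7.69.0-DEV"',
    "not a log line",
]

if __name__ == "__main__":
    print(h3_versions('h3-24=":443"; ma=86400, h3-23=":443"; ma=86400'))
    print(protocol_tally(SAMPLE_LOG))
```

Two things to check with it: the draft ids you advertise must match what the clients you care about speak (the slide's server offered h3-24 and h3-23 while curl asked for h3-25/h3-24/h3-23), and an alt-svc that names a different host or port is a redirection of traffic, so it should only ever point at infrastructure you control.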
HTTP/2 vs HTTP/3

99% latency by HTTP protocol / user location: HTTP/2 JP response (ms) vs HTTP/3 JP response (ms) (values shown only in the slide chart)

HTTP/3 response is 1.14x-1.5x faster than HTTP/2.
HTTP/3 + DNS (HTTPS record)

Type: HTTPS, Name: yurets.pro, TTL: auto
Priority: 1, Target: yurets.pro., Value: alpn="h3,h2"
HTTP Compression

Less response size => faster transfer
- Gzip: levels 1-9
- Brotli: levels 0-11

JSON 137 KB file check (charts): response time (sec) per compression level and file size (KB) per compression level, for gzip 1, gzip 5, gzip 9, brotli 0, brotli 6, brotli 11 and none.
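The charts above compare size against compression time per level; the trade-off is easy to reproduce locally. The following is an added example, not code from the talk, that measures gzip levels 1/5/9 (and brotli 0/6/11 when the optional `brotli` package is installed) on a constructed JSON payload shaped like an API response. Only the standard library is required; the payload is generated, not the slide's 137 KB file.

```python
"""Compare gzip (and brotli, if installed) levels on a JSON payload: size vs. compression time."""
import gzip
import json
import time

try:
    import brotli   # optional: pip install brotli
except ImportError:
    brotli = None


def sample_json(records=2000):
    """Constructed API-style payload with repetitive keys and values, like a real JSON response."""
    rows = [
        {"id": i, "user": "user%04d" % (i % 500), "status": "active" if i % 3 else "disabled",
         "tags": ["latency", "dns", "tls"][: i % 4]}
        for i in range(records)
    ]
    return json.dumps(rows).encode()


def measure(data, gzip_levels=(1, 5, 9), brotli_levels=(0, 6, 11)):
    """Return {label: (compressed_bytes, seconds)} per codec/level; each result is round-trip checked."""
    results = {}
    for lvl in gzip_levels:
        t0 = time.perf_counter()
        out = gzip.compress(data, compresslevel=lvl)
        results["gzip %d" % lvl] = (len(out), time.perf_counter() - t0)
        assert gzip.decompress(out) == data
    if brotli is not None:
        for lvl in brotli_levels:
            t0 = time.perf_counter()
            out = brotli.compress(data, quality=lvl)
            results["brotli %d" % lvl] = (len(out), time.perf_counter() - t0)
            assert brotli.decompress(out) == data
    results["none"] = (len(data), 0.0)
    return results


def ratio(results, label):
    """Compressed size as a fraction of the uncompressed size."""
    return results[label][0] / results["none"][0]


if __name__ == "__main__":
    r = measure(sample_json())
    for label, (size, secs) in r.items():
        print("%-10s %7d bytes  %.1f%%  %.4f s" % (label, size, 100 * ratio(r, label), secs))
```

For static assets the highest levels are worth it because the result is compressed once and cached; for dynamic responses the mid levels (gzip 5, brotli 4-6) usually give most of the size reduction at a fraction of the CPU time. Keep compression off for responses that mix secrets (session tokens, CSRF tokens) with reflected user input, since compressed length then leaks information about those secrets (the BREACH class of issues).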


HTTP Cache

Use cache =)

- ETag and Last-Modified headers: weak caching headers (validators)
- Expires and Cache-Control: strong caching headers (refresh information)
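The two header families above work together: Cache-Control/Expires tell the client how long it may reuse a response without asking, and ETag/Last-Modified let it revalidate cheaply with a conditional request once that time is up, getting a 304 instead of the full body. The following is an added example, not from the talk, of a response function that emits both sets and answers If-None-Match and If-Modified-Since; it assumes the standard library only, a content-hash ETag (any stable identifier would do) and the RFC 7232 rule that If-None-Match takes precedence when both conditionals are present.

```python
"""Conditional GET with validators (ETag / Last-Modified) and freshness (Cache-Control / Expires)."""
import hashlib
import time
from email.utils import formatdate, parsedate_to_datetime


def validators(body, last_modified_ts):
    """Validator headers: a content-hash ETag and an HTTP-date Last-Modified (1 s resolution)."""
    return {
        "ETag": '"%s"' % hashlib.sha256(body).hexdigest()[:16],
        "Last-Modified": formatdate(last_modified_ts, usegmt=True),
    }


def freshness(max_age, now=None):
    """Freshness headers: Cache-Control for modern clients plus Expires for old ones."""
    now = time.time() if now is None else now
    return {
        "Cache-Control": "public, max-age=%d" % max_age,
        "Expires": formatdate(now + max_age, usegmt=True),
    }


def respond(request_headers, body, last_modified_ts, max_age=3600):
    """Return (status, headers, body); 304 with no body when the client's copy is still valid."""
    v = validators(body, last_modified_ts)
    headers = {**v, **freshness(max_age)}
    inm = request_headers.get("If-None-Match")
    ims = request_headers.get("If-Modified-Since")
    if inm is not None:
        # If-None-Match wins over If-Modified-Since (RFC 7232, section 6).
        tags = [t.strip() for t in inm.split(",")]
        if "*" in tags or v["ETag"] in tags:
            return 304, headers, b""
    elif ims is not None:
        try:
            if parsedate_to_datetime(ims).timestamp() >= int(last_modified_ts):
                return 304, headers, b""
        except (TypeError, ValueError):
            pass    # malformed date: ignore the conditional and serve the full response
    return 200, headers, body


if __name__ == "__main__":
    # Constructed resource: body and modification time are made up for the demo.
    body, ts = b"hello, cache", 1582000000
    status, hdrs, _ = respond({}, body, ts)
    print(status, hdrs)
    print(respond({"If-None-Match": hdrs["ETag"]}, body, ts)[0])
```

A 304 still costs one RTT, which is why the slide calls the validators "weak": the real saving comes from a long max-age on immutable, versioned assets (the PageSpeed "efficient cache policy" finding at the top of the deck), with validators as the fallback for everything that may change.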
Sum up

- Use fast NS server: ~50 ms
- Geo location or CDN: ~300 ms per RTT
- TFO if suits: 1 RTT
- TLS 1.3: 1 RTT
- Early data if suits: 1 RTT
- HTTP/2: multiple req/resp in parallel
- Cache + Compression: just use it
- Try HTTP/3: possible 10-50% benefit, no 1st redirect delay
Useful links:

site: yurets.pro
repo: github.com/yurymuski/demo-latency